Exam CISSP
Question 18

Which of the following is the BEST way to protect an organization's data assets?

    Correct Answer: A

    The best way to protect an organization's data assets involves ensuring that the data is secure both in transit and at rest. Encrypting data using up-to-date cryptographic algorithms provides a strong technical measure to protect data from unauthorized access and breaches. Encryption ensures that even if data is intercepted or accessed inappropriately, it remains unreadable and secure. While having security policies and monitoring adherence to them is important, the active protection of data through encryption provides a more direct and robust means of securing sensitive information.

Discussion
godchild Option: B

Policy vs encryption = management vs technical staff. Which is more important? I choose policy because CISSP needs you to think like a manager.

franbarpro

Having a hard time understanding how "Security Policies" could be the BEST way to protect an organization's data assets. If we don't have technical controls in place, users tend to just do whatever. Imagine having a policy that says change your password every 90 days. How many people will do that? But if GPO expires their password... they will change it right away.

N00b1e

But if you don't have any policy to say when passwords should expire, would they never expire? Policy > Standards > Guidelines > Procedure

DButtare

Think like a manager buddy

Ariel235788

Technical controls come before administrative controls, Buddy

Ramye

And Policy comes first that dictates what technical controls need to be placed, Buddy :-)

FredDurst

SOLID B... it's more like changing the culture. Even if you use encryption at rest or in transit they can write the data down on a sticky note, share their screen with third parties, use their cellphone and take snaps of their work computer with confidential data displayed, get hooked on a social engineering scam, etc. It all boils down to the people at the end of the day and their respect for the policy, either through pure logic or out of fear of disciplinary actions (enforcement).

jackdryan

B is correct

wins34

In option B, there is no clear indication as they are secure policies. So can't trust those policies if they are outdated.

DButtare Option: B

I'm for the "B", encryption is part of the policy.

aape1 Option: A

A, because you always pick the answer with humanless involvement when it comes to security, because humans are not trustable. You learn this from Kelly Handerhan!

Law88 Option: A

The best way to protect an organization's data assets is not a single method, but a combination of multiple methods that address different aspects and layers of data security. However, among the four options given, the most comprehensive and effective one is A. Encrypt data in transit and at rest using up-to-date cryptographic algorithms. Option B. Monitor and enforce adherence to security policies is a good practice for ensuring compliance and awareness of data security standards and regulations, but it does not directly protect data from attacks or breaches.

Vasyamba1 Option: B

I think the key word is ENFORCE adherence to security policies, as policies include not only encryption requirements but other things to protect data, acceptable use for instance.

JBAnalyst Option: B

Encryption addresses the confidentiality. What about the integrity and availability of the data? It should be policy.

f270069 Option: A

CHAT GP

50e940e Option: A

A is more specific. What if the security policy is outdated, or the policy is not even developed yet?

CCNPWILL Option: B

B encompasses A. B is more comprehensive than A. B could include access control and other control measures not specific to integrity or the like.

Hardrvkllr Option: B

I feel it's B. Because you need to monitor and enforce. This includes due diligence and care. Security policy would tell you 5 W's. I'm going with B.

CCNPWILL Option: B

Correct Answer is B. All training suggests policy is typically the best answer. It may even encompass all of the rest of the less correct answers.

Kyanka Option: B

Remember Rule #1 on the CISSP exam: Think like a manager. So I'm convinced it's B.

Az900500 Option: B

Note the word data asset, not data itself, so B is the answer.

wins34 Option: B

In option B, there is no clear indication as they are secure policies. So can't trust those policies if they are outdated.

GPrep Option: B

Encrypting the data at rest and in transit is great for those who are unauthorized. However, the question is not that specific, reading that it applies to all types of users (authorized and not). When accounting for this interpretation of the question, B makes more sense. Additionally, B doesn't JUST list having or monitoring a policy, it is specific to also say enforce, which implies technical controls.

ilan0000

Policy > Standards > Procedures > Guidelines (CBK, 6th Edition, Figure 1.3)

YesPlease Option: A

Answer A) you can implement all the security policies you want, but something will happen sooner or later. If you encrypt everything first, then it provides the BEST protection against theft/loss.

YesPlease

I'm an idiot. The actual answer is B) Monitor and enforce adherence to security policies. This can include all of the other options.